This chapter is from the book

This chapter covers the following official CompTIA Security+, SY0-301 exam objectives:

Exemplify the concepts of confidentiality, integrity, and availability (CIA)

Explain risk-related concepts

Carry out appropriate risk mitigation strategies

Explain the importance of security-related awareness and training

(For more information on the official CompTIA Security+, SY0-301 exam topics, see the “About the CompTIA Security+, SY0-301 Exam” section in the Introduction.)

The traditional “C-I-A Triad” of security directives includes maintaining the confidentiality, integrity, and availability of data and services. Threats to these three principles are constantly present and evolving. Defensive measures must be put into place to mitigate risk within the enterprise. This chapter examines risk, mitigation strategies, and the value of security-awareness training in managing risk.

Exemplify the Concepts of Confidentiality, Integrity, and Availability

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

Which element of the C-I-A Triad is addressed by biometric controls?

Off-site backup tapes ensure which element of the C-I-A Triad?

Battery backup power supplies (UPSs) support which element of the C-I-A Triad?

Answers

Confidentiality. Access control mechanisms such as biometric authentication systems ensure that data confidentiality is maintained.

Availability. Backup media is used to restore data lost, corrupted, or otherwise at risk of becoming unavailable.

Availability. Loss of power prevents services from remaining available to authorized access requests.

Confidentiality

The first principle of information security is that of confidentiality. Confidentiality involves controls to ensure that security is maintained when data is both at rest (stored) and in use (during processing and transport) to protect against unauthorized access or disclosure.

Confidentiality controls include physical access controls, data encryption, logical access controls, and management controls that put policies in place to protect against shoulder surfing, social engineering, and other forms of observational disclosure. We discuss individual access control mechanisms later in this book; this chapter addresses them only in terms of risk mitigation.

ExamAlert

Some questions might include controls that fulfill more than one principle of security, such as access controls that protect both confidentiality and integrity by limiting unauthorized access to examine data (confidentiality) and to modify data (integrity), or malware defenses that protect against key loggers (confidentiality) as well as drive deletion logic bombs (integrity). In these cases, it is best to look for additional details that can reveal the best answer.

Integrity

The second principle of information security is that of integrity. Integrity involves controls to preserve the reliability and accuracy of data and processes against unauthorized modification. Integrity controls include malware defenses protecting against data corruption or elimination, validation code that protects against code injection or malformed data input, data hashing validation identifying modifications, and limited user interface options controlling the types of access available to data.

ExamAlert

Integrity is focused on preserving data against unauthorized modification, which might include deletion, but controls for recovery in the case of deletion might fall more accurately into the Availability arena.
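The hashing validation named among the integrity controls above, and the ExamAlert's point that detecting a deletion is integrity while recovering from it is availability, can be shown in a small baseline-and-verify routine. This is an added illustration, not code from the book; the file names and contents are constructed sample data.

```python
import hashlib

# Constructed sample "files" (name -> contents), standing in for data at rest.
ORIGINAL = {
    "config.ini": b"debug=false\nmax_conn=100\n",
    "users.csv": b"alice,admin\nbob,user\n",
    "notes.txt": b"quarterly numbers\n",
}

def build_manifest(files):
    """Record a SHA-256 digest for every item; this is the known-good baseline."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def verify_integrity(manifest, files):
    """Compare current contents against the baseline.

    Returns a dict with three sorted lists:
      modified - present in both but the digest differs (unauthorized change)
      deleted  - in the baseline but now missing (the integrity control only
                 detects this; restoring it is an availability control, e.g. backups)
      added    - present now but absent from the baseline
    """
    modified, deleted = [], []
    for name, expected in manifest.items():
        if name not in files:
            deleted.append(name)
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            modified.append(name)
    added = [name for name in files if name not in manifest]
    return {"modified": sorted(modified), "deleted": sorted(deleted), "added": sorted(added)}

def demo():
    """Baseline the originals, then check a tampered copy (constructed changes)."""
    manifest = build_manifest(ORIGINAL)
    tampered = dict(ORIGINAL)
    tampered["config.ini"] = b"debug=true\nmax_conn=100\n"  # unauthorized modification
    del tampered["notes.txt"]                                # deletion
    tampered["extra.log"] = b"unexpected\n"                  # unexpected addition
    return verify_integrity(manifest, tampered)

if __name__ == "__main__":
    print(demo())
```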

Availability

The final principle of information security is that of availability. Availability involves controls to preserve operations and data in the face of service outages, disaster, or capacity variation. Availability controls include load balancing systems, redundant services and hardware, backup solutions, and environmental controls intended to overcome networking, power, system, and service outages.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

Which two of the following support the preservation of data availability?

Cram Quiz Answers

A and D. Environmental controls such as anti-static carpeting aid in protecting against system failure and so preserve availability of data and services. Physical access controls protect against system theft, destruction, or damage. Answer B is incorrect because firewalls restrict access to data and services, and although deletion is possible, this control is focused on preserving confidentiality and integrity. Answer C is incorrect because mirrored windows protect confidentiality by preventing observation of displayed data, user keystrokes, and other information of potential interest.

A. Malware defenses such as antivirus services protect the confidentiality and integrity of data by eliminating viral agents that could otherwise capture keystrokes, relay webcam audio/video, or modify data and services. Answers B and C are incorrect because malware defenses are not focused on the preservation of data and service availability beyond preventing outright wipe of the infected system. Answer D is incorrect because accuracy and reliability are data qualities within the Integrity principle, not directly parts of the C-I-A Triad.

A and B. Regular password expiration protects against reuse of compromised passwords and mitigates brute-force attacks by changing keys before all combinations can be tested. These actions protect access controls over data review and modification, preserving confidentiality and integrity of data. Answer C is incorrect because password expiration does not directly affect data and service availability. Similarly, answer D is incorrect because data longevity is unrelated to passwords and exists only as business operations allow. Some data might be updated many times every minute whereas other data remains static for years.